Dennis Carney wrote:
> Regarding DoS attacks, it seems like we've already got that problem
> with Print-Job, don't we? I can write a client that sends a 10Mb
> print job using Print-Job, in 1 byte chunks, sent every 5 seconds.
> Then call that client 100 times concurrently, and I think I've
> probably pretty much taken the IPP printer out of commission. Right?

Not necessarily; print-job, print-uri, create-job, send-document,
and send-uri all define status codes and error handling scenarios
that allow the IPP printer/server to tell the client that it won't
accept any more jobs/documents, while the Create-Document and
Send-Data operations do not.

I'm not saying that we can prevent DoS attacks (we can't), but
the new operations did not define the necessary status codes and
implementation guidelines to prevent a conforming client
implementation from causing a DoS attack "accidentally" as a
result of its error handling, e.g. retrying the request(s).

So, as my comments have indicated all along, if we need the
functionality provided by Create-Document and Send-Data (and
so far I haven't seen any use cases that aren't adequately
handled by using the existing Validate-Job and Send-Document
operations), then we need to define the necessary additional
status codes and specify the appropriate error handling behavior
of clients to 1) allow servers to detect and handle resource
abuse, and 2) allow clients to respond to server resource errors
appropriately to prevent accidental DoS attacks.

> I would think the same sort of attack would work against LPR, raw
> ports (9100), and probably most (all?) other print protocols.

Actually, in the case of many printers, only a single client can
connect to a printer's network interface (for printing anyways),
so a simple DoS attack is to just hold a connection open to prevent
others from printing. However, that is at a different level and
the extensions we are talking about will likely *not* be
implemented for resource-limited devices such as network cards.

> So getting rid of Create-Document and Send-Data purely for DoS
> reasons do not seem to make sense to me.

That isn't the reason for removing them, just to fix them. The
fact that Validate-Job and Send-Document can provide the same
functionality is a much better reason IMHO.

--
______________________________________________________________________
Michael Sweet, Easy Software Products          mike at easysw dot com
Printing Software for UNIX                      http://www.easysw.com
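
An added illustration, not part of the original message or of any IPP implementation: a client-side retry policy of the kind the message calls for, where a refusal from the server leads to capped, jittered backoff or to giving up rather than to immediate retries. The status code values are the IPP/1.1 ones from RFC 2911; the function names, retry limits and sample replies are assumptions made for this sketch.

```python
import random

# IPP/1.1 (RFC 2911) server-error status codes relevant to refusing work.
SERVICE_UNAVAILABLE = 0x0502
TEMPORARY_ERROR = 0x0505
NOT_ACCEPTING_JOBS = 0x0506   # retrying will not help; stop
BUSY = 0x0507

# Codes treated as worth retrying (a policy choice made for this sketch).
TRANSIENT = {SERVICE_UNAVAILABLE, TEMPORARY_ERROR, BUSY}


def next_action(status, attempt, max_attempts=5, base=2.0, cap=60.0,
                rng=random.random):
    """Return ('done' | 'abort' | 'retry', delay_seconds) for one response."""
    if status <= 0x00FF:                      # successful-* status class
        return ("done", 0.0)
    if status not in TRANSIENT or attempt >= max_attempts:
        return ("abort", 0.0)                 # hard refusal or budget spent
    ceiling = min(cap, base * 2 ** attempt)   # exponential growth, capped
    return ("retry", ceiling * (0.5 + 0.5 * rng()))  # jitter spreads clients


def submit_with_backoff(send, sleep, max_attempts=5):
    """Call send() until it succeeds or the policy says to give up.

    send() returns an IPP status code; sleep(seconds) waits between tries.
    Returns (action, last_status, list_of_waits).
    """
    attempt, waits = 0, []
    while True:
        status = send()
        action, delay = next_action(status, attempt, max_attempts)
        if action != "retry":
            return action, status, waits
        waits.append(delay)
        sleep(delay)
        attempt += 1


if __name__ == "__main__":
    # Constructed sample: server is busy twice, then accepts the request.
    replies = iter([BUSY, BUSY, 0x0000])
    print(submit_with_backoff(lambda: next(replies), lambda s: None))
```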
This archive was generated by hypermail 2b29 : Thu May 22 2003 - 11:31:33 EDT